I have JSON files which I am trying to event split as the JSON contains multiple events within each log. Here is an example of what the log would look like.

{
  "vulnerability": [
    {
      "event": {
        "sub1": {
          "complexity": "LOW"
        },
        "sub2": {
          "complexity": "LOW"
        }
      },
      "id": "test",
      "description": "test",
      "state": "No Known",
      "risk_rating": "LOW",
      "sources": [
        {
          "date": "test"
        }
      ],
      "additional_info": [
        {
          "test": "test"
        }
      ],
      "was_edited": false
    },
    {
      "event": {
        "sub1": {
          "complexity": "LOW"
        },
        "sub2": {
          "complexity": "LOW"
        }
      },
      "id": "test",
      "description": "test",
      "state": "No Known",
      "risk_rating": "LOW",
      "sources": [
        {
          "date": "test"
        }
      ],
      "additional_info": [
        {
          "test": "test"
        }
      ],
      "was_edited": false
    }
  ],
  "next": "test",
  "total_count": 109465
}

In this example there would be two separate events that I need extracted out. I am essentially trying to pull out the event1 and event2 nests. Each log should have this same exact JSON format, but there could be any number of events included in them.

First event:

{
  "event": {
    "sub1": {
      "complexity": "LOW"
    },
    "sub2": {
      "complexity": "LOW"
    }
  },
  "id": "test",
  "description": "test",
  "state": "No Known",
  "risk_rating": "LOW",
  "sources": [
    {
      "date": "test"
    }
  ],
  "additional_info": [
    {
      "test": "test"
    }
  ],
  "was_edited": false
}

Second event:

{
  "event": {
    "sub1": {
      "complexity": "LOW"
    },
    "sub2": {
      "complexity": "LOW"
    }
  },
  "id": "test",
  "description": "test",
  "state": "No Known",
  "risk_rating": "LOW",
  "sources": [
    {
      "date": "test"
    }
  ],
  "additional_info": [
    {
      "test": "test"
    }
  ],
  "was_edited": false
}

I also want to exclude the opening

{
  "vulnerability": [

and closing

  ],
  "next": "test",
  "total_count": 109465
}

portions of the log files. Am I missing something on how to set this sourcetype up? I have the following currently, but that does not seem to be working:

LINE_BREAKER = \{(\r+|\n+|\t+|\s+)"event":
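One way to get one event per array element without regex line-breaking, as an added example that is not part of the original post or of any Splunk documentation: parse the document with a real JSON parser, keep only the elements of the "vulnerability" array, and write them out one compact object per line so a plain line-oriented sourcetype can ingest them. The sample log below is constructed to match the shape shown in the question (the ids vuln-1 and vuln-2 are made up for the example), and it assumes a pre-ingest step is acceptable in your pipeline.

```python
import json

# Constructed sample matching the shape of the log in the question:
# two elements in "vulnerability" plus the "next"/"total_count" wrapper.
SAMPLE_LOG = """{
  "vulnerability": [
    {"event": {"sub1": {"complexity": "LOW"}, "sub2": {"complexity": "LOW"}},
     "id": "vuln-1", "description": "test", "state": "No Known",
     "risk_rating": "LOW", "sources": [{"date": "test"}],
     "additional_info": [{"test": "test"}], "was_edited": false},
    {"event": {"sub1": {"complexity": "LOW"}, "sub2": {"complexity": "LOW"}},
     "id": "vuln-2", "description": "test", "state": "No Known",
     "risk_rating": "LOW", "sources": [{"date": "test"}],
     "additional_info": [{"test": "test"}], "was_edited": false}
  ],
  "next": "test",
  "total_count": 109465
}"""


def split_events(log_text: str) -> list[dict]:
    """Return the elements of the top-level "vulnerability" array.

    Parsing the whole document (rather than breaking on "{ "event":")
    means nested braces, embedded newlines or string values containing
    "{" cannot create a false event boundary. The wrapper keys "next"
    and "total_count" are never part of the returned objects.
    """
    doc = json.loads(log_text)
    events = doc.get("vulnerability")
    if not isinstance(events, list):
        raise ValueError('expected a top-level "vulnerability" array')
    for i, ev in enumerate(events):
        if not isinstance(ev, dict) or "event" not in ev:
            raise ValueError(f"element {i} is not an event object")
    return events


def to_ndjson(log_text: str) -> str:
    """One compact JSON object per line, so each line is exactly one
    event and no custom LINE_BREAKER is needed at ingest time."""
    return "\n".join(json.dumps(ev, separators=(",", ":"), sort_keys=True)
                     for ev in split_events(log_text))


if __name__ == "__main__":
    events = split_events(SAMPLE_LOG)
    # "total_count" describes the whole paginated result set ("next" is a
    # cursor), not this file, so report the number actually parsed.
    print(f"{len(events)} events in this file")
    print(to_ndjson(SAMPLE_LOG))
```

Because a file can hold any number of elements, check the number of lines written against the number of array elements parsed rather than against "total_count", which in the sample (109465) is far larger than the two events present.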